CB0202 Posted September 25, 2020 ID:1409559 Share Posted September 25, 2020 I ran the program here are the screenshots. Link to post Share on other sites More sharing options...
kevinf80 Posted September 25, 2020 ID:1409575 Share Posted September 25, 2020 Hello cbeck and welcome to Malwarebytes, Run the following: Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Thank you, Kevin Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409583 Share Posted September 25, 2020 1st.pdf 2nd file.pdf Link to post Share on other sites More sharing options...
kevinf80 Posted September 25, 2020 ID:1409628 Share Posted September 25, 2020 Please do not save files in PDF format, follow the instructions and save as text files.... Did you set up the following targets and shortcuts..? Startup: C:\Users\Carrie Beck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RemoteDesktop.lnk [2020-02-11] ShortcutTarget: RemoteDesktop.lnk -> C:\Windows\System32\mstsc.exe (Microsoft Windows -> Microsoft Corporation) Startup: C:\Users\Carrie Beck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Temp.lnk [2020-02-12] ShortcutTarget: Temp.lnk -> C:\Users\Carrie Beck\Desktop\Carrie's Temp () Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409645 Share Posted September 25, 2020 I don't think i understand. Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409646 Share Posted September 25, 2020 FRST.txt Addition.txt Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409649 Share Posted September 25, 2020 I am not sure if you are asking me to set these up or if they are already set up. The first one should be my shortcut to get to my remote desktop online I would guess my boss set up the other too. Startup: C:\Users\Carrie Beck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RemoteDesktop.lnk [2020-02-11] ShortcutTarget: RemoteDesktop.lnk -> C:\Windows\System32\mstsc.exe (Microsoft Windows -> Microsoft Corporation) Startup: C:\Users\Carrie Beck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Temp.lnk [2020-02-12] ShortcutTarget: Temp.lnk -> C:\Users\Carrie Beck\Desktop\Carrie's Temp () Link to post Share on other sites More sharing options...
kevinf80 Posted September 25, 2020 ID:1409655 Share Posted September 25, 2020 OK, thanks for the information... Continue: Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.Note: If the tool warned you about an outdated version please download and run the updated version.NOTE-1: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system....https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply... Thank you, Kevin... fixlist.txt Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409664 Share Posted September 25, 2020 ***** [ Tasks ] ***** No malicious tasks cleaned. ***** [ Registry ] ***** No malicious registry entries cleaned. ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries cleaned. ***** [ Chromium URLs ] ***** No malicious Chromium URLs cleaned. ***** [ Firefox (and derivatives) ] ***** No malicious Firefox entries cleaned. ***** [ Firefox URLs ] ***** No malicious Firefox URLs cleaned. ***** [ Hosts File Entries ] ***** No malicious hosts file entries cleaned. ***** [ Preinstalled Software ] ***** Deleted Preinstalled.HPNotifications Folder C:\Program Files (x86)\HP\HP NOTIFICATIONS Deleted Preinstalled.HPNotifications Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|HPNotifications Deleted Preinstalled.HPNotifications Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Run|HPNotifications Deleted Preinstalled.HPRegistrationService Folder C:\ProgramData\HP\HP REGISTRATION SERVICE Deleted Preinstalled.HPSupportAssistant Folder C:\HP\SUPPORT Deleted Preinstalled.HPSupportAssistant Folder C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK Deleted Preinstalled.HPSupportAssistant Folder C:\Users\Carrie Beck\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK Deleted Preinstalled.HPSureConnect Folder C:\Program Files\HPCOMMRECOVERY Deleted Preinstalled.HPSureConnect Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6} Deleted Preinstalled.HPTouchpointAnalyticsClient Folder C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT Deleted Preinstalled.HPTouchpointAnalyticsClient Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F} ************************* [+] Delete Tracing Keys [+] Reset Winsock ************************* AdwCleaner[S00].txt - [2563 octets] - [25/09/2020 16:00:51] ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ########## Scan Report.txt Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409665 Share Posted September 25, 2020 --------------------------------------------------------------------------------------- Microsoft Safety Scanner v1.0, (build 1.323.1875.0) Started On Fri Sep 25 16:06:53 2020 ->Scan ERROR: resource process://pid:124,ProcessStart:132455377345405715 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:516,ProcessStart:132455377364560859 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:740,ProcessStart:132455377427057384 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:828,ProcessStart:132455377432222762 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:836,ProcessStart:132455377432262546 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:900,ProcessStart:132455377433036132 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:3480,ProcessStart:132455377443306759 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4468,ProcessStart:132455377448090831 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4972,ProcessStart:132455377449722763 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:5052,ProcessStart:132455377449826983 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:5248,ProcessStart:132455377450251715 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:10904,ProcessStart:132455377596751693 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:10288,ProcessStart:132455377600715592 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:3268,ProcessStart:132455378653645004 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:11772,ProcessStart:132455378666136292 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:8132,ProcessStart:132455378671612586 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4468,ProcessStart:132455377448090831 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:10904,ProcessStart:132455377596751693 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:3268,ProcessStart:132455378653645004 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4972,ProcessStart:132455377449722763 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:5052,ProcessStart:132455377449826983 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:10288,ProcessStart:132455377600715592 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:11772,ProcessStart:132455378666136292 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:5248,ProcessStart:132455377450251715 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:8132,ProcessStart:132455378671612586 (code 0x00000005 (5)) ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33)) ->Scan ERROR: resource process://pid:4972,ProcessStart:132455377449722763 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:5248,ProcessStart:132455377450251715 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4972,ProcessStart:132455377449722763 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:5248,ProcessStart:132455377450251715 (code 0x00000005 (5)) Results Summary: ---------------- No infection found. Microsoft Safety Scanner Finished On Fri Sep 25 16:08:54 2020 Return code: 0 (0x0) Link to post Share on other sites More sharing options...
kevinf80 Posted September 25, 2020 ID:1409667 Share Posted September 25, 2020 Part of AdwCleaner log is missing, can I see that please.. Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409669 Share Posted September 25, 2020 # ------------------------------- # Malwarebytes AdwCleaner 8.0.7.0 # ------------------------------- # Build: 07-22-2020 # Database: 2020-07-20.1 (Local) # Support: https://www.malwarebytes.com/support # # ------------------------------- # Mode: Clean # ------------------------------- # Start: 09-25-2020 # Duration: 00:00:01 # OS: Windows 10 Pro # Cleaned: 11 # Failed: 0 ***** [ Services ] ***** No malicious services cleaned. ***** [ Folders ] ***** No malicious folders cleaned. ***** [ Files ] ***** No malicious files cleaned. ***** [ DLL ] ***** No malicious DLLs cleaned. ***** [ WMI ] ***** No malicious WMI cleaned. ***** [ Shortcuts ] ***** No malicious shortcuts cleaned. ***** [ Tasks ] ***** No malicious tasks cleaned. ***** [ Registry ] ***** No malicious registry entries cleaned. ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries cleaned. ***** [ Chromium URLs ] ***** No malicious Chromium URLs cleaned. ***** [ Firefox (and derivatives) ] ***** No malicious Firefox entries cleaned. ***** [ Firefox URLs ] ***** No malicious Firefox URLs cleaned. ***** [ Hosts File Entries ] ***** No malicious hosts file entries cleaned. ***** [ Preinstalled Software ] ***** Deleted Preinstalled.HPNotifications Folder C:\Program Files (x86)\HP\HP NOTIFICATIONS Deleted Preinstalled.HPNotifications Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|HPNotifications Deleted Preinstalled.HPNotifications Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Run|HPNotifications Deleted Preinstalled.HPRegistrationService Folder C:\ProgramData\HP\HP REGISTRATION SERVICE Deleted Preinstalled.HPSupportAssistant Folder C:\HP\SUPPORT Deleted Preinstalled.HPSupportAssistant Folder C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK Deleted Preinstalled.HPSupportAssistant Folder C:\Users\Carrie Beck\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK Deleted Preinstalled.HPSureConnect Folder C:\Program Files\HPCOMMRECOVERY Deleted Preinstalled.HPSureConnect Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6} Deleted Preinstalled.HPTouchpointAnalyticsClient Folder C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT Deleted Preinstalled.HPTouchpointAnalyticsClient Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F} ************************* [+] Delete Tracing Keys [+] Reset Winsock ************************* AdwCleaner[S00].txt - [2563 octets] - [25/09/2020 16:00:51] ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ########## Link to post Share on other sites More sharing options...
kevinf80 Posted September 25, 2020 ID:1409670 Share Posted September 25, 2020 Can I also see the log from FRST fix Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409671 Share Posted September 25, 2020 Fixlog.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 25, 2020 ID:1409673 Share Posted September 25, 2020 How does your PC respond now, any remaining issues or concerns...? Link to post Share on other sites More sharing options...
CB0202 Posted September 25, 2020 Author ID:1409675 Share Posted September 25, 2020 I have to figure out how to add my outlook, word etc back Link to post Share on other sites More sharing options...
kevinf80 Posted September 25, 2020 ID:1409681 Share Posted September 25, 2020 Can you expand on that please.. Link to post Share on other sites More sharing options...
CB0202 Posted September 28, 2020 Author ID:1410294 Share Posted September 28, 2020 I cannot open my outlook, word, or excel now. Link to post Share on other sites More sharing options...
kevinf80 Posted September 28, 2020 ID:1410307 Share Posted September 28, 2020 Do you receive a message like this "Exploit ROP gadget attack blocked" Link to post Share on other sites More sharing options...
CB0202 Posted September 28, 2020 Author ID:1410309 Share Posted September 28, 2020 Link to post Share on other sites More sharing options...
CB0202 Posted September 28, 2020 Author ID:1410310 Share Posted September 28, 2020 wait sorry, i think that was the wrong picture Here is the warning I got Link to post Share on other sites More sharing options...
kevinf80 Posted September 28, 2020 ID:1410312 Share Posted September 28, 2020 Can you open Malwarebytes then.. Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the RTP detection log which shows the Date and time of the Block just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Can you do that for the last 3 blocks.. Link to post Share on other sites More sharing options...
CB0202 Posted September 28, 2020 Author ID:1410316 Share Posted September 28, 2020 Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/25/20 Protection Event Time: 3:14 PM Log File: 47669aa4-ff63-11ea-a2f6-e8d8d13e5ef2.json -Software Information- Version: 4.2.1.89 Components Version: 1.0.1045 Update Package Version: 1.0.30394 License: Premium -System Information- OS: Windows 10 (Build 19041.508) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Users\Carrie Beck\Downloads\Click HERE to start the WebNavigator Browser Installer_212649m_.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Trojan Domain: wbdistro.com IP Address: 3.20.70.173 Port: 443 Type: Outbound File: C:\Users\Carrie Beck\Downloads\Click HERE to start the WebNavigator Browser Installer_212649m_.exe (end) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/25/20 Protection Event Time: 10:46 AM Log File: e170b9d4-ff3d-11ea-87ba-e8d8d13e5ef2.json -Software Information- Version: 4.2.1.89 Components Version: 1.0.1045 Update Package Version: 1.0.30386 License: Premium -System Information- OS: Windows 10 (Build 19041.508) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Users\Carrie Beck\Downloads\Click HERE to start the WebNavigator Browser Installer_212503v_.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Trojan Domain: wbdistro.com IP Address: 3.14.24.10 Port: 443 Type: Outbound File: C:\Users\Carrie Beck\Downloads\Click HERE to start the WebNavigator Browser Installer_212503v_.exe (end) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/25/20 Protection Event Time: 10:45 AM Log File: bece78ee-ff3d-11ea-9df0-e8d8d13e5ef2.json -Software Information- Version: 4.2.1.89 Components Version: 1.0.1045 Update Package Version: 1.0.30386 License: Premium -System Information- OS: Windows 10 (Build 19041.508) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Users\Carrie Beck\Downloads\Click HERE to start the WebNavigator Browser Installer_212502j_.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Trojan Domain: wbdistro.com IP Address: 3.20.70.173 Port: 443 Type: Outbound File: C:\Users\Carrie Beck\Downloads\Click HERE to start the WebNavigator Browser Installer_212502j_.exe (end) Link to post Share on other sites More sharing options...
kevinf80 Posted September 28, 2020 ID:1410318 Share Posted September 28, 2020 Those blocks are related to an installer that you have in your downloads folder Quote File: C:\Users\Carrie Beck\Downloads\Click HERE to start the WebNavigator Browser Installer_212502j_.exe Did you d/l that installer yourself...? Link to post Share on other sites More sharing options...
CB0202 Posted September 28, 2020 Author ID:1410319 Share Posted September 28, 2020 those are the last three downloads. It would not let me install the program you wanted me to use. Then it finally did. Link to post Share on other sites More sharing options...
Recommended Posts